Microsoft Says, Don't Press the F1 Key In XP
Ian Lamont writes "Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."
Re:Yet another reason (Score:4, Interesting)
Don't press the F1 key? Jesus fucking christ. What next, don't power up the box?
Does it affect Firefox on XP? (Score:3, Interesting)
Re:MS was concerned about how this was exposed? (Score:3, Interesting)
It does not. It minimizes potential damage to the brand, so the vendor can decide if it's worth their while to do something.
Better they sell it on the black market than they use it quietly. Moreover, if there's a market, then it's worth something and "good guys" can bid, too.
Re:Only MSIE users (Score:3, Interesting)
Re:Well, at least the important keys still work. (Score:2, Interesting)
First you say it really doesn't matter if Windows users know anything about how their system is set up and how things work, but then go on to explain how their ignorance about how things work is their greatest weakness. You pretty much defeat your own argument without realizing it.
Damn! (Score:3, Interesting)
I'll have to stop missing the ESC and ~ key!
Most annoying thing: press F1 in software like Visual Studio and have to wait 5 minutes for it to refresh online help.
Re:To read the rest of this article... (Score:3, Interesting)
Microsoft Interview (Score:4, Interesting)
Needless to say, I turned down the job offer. It doesn't surprise me how they keep making flub ups like this when the people at their company are so arrogant.
Re:Yet another reason (Score:5, Interesting)
The same HTML rendering component I can understand, but in this case it appears a script running in a web browser instance of the component can somehow affect the help rendering instance, and that is a quality WTF.
Oops! (Score:2, Interesting)
I hit F1 by accident at least once a day trying for the Esc key.
Re:Well, at least the important keys still work. (Score:3, Interesting)
I take it you have never had a "classic" car with drum brakes all around. I assure you that drum brakes can suddenly stop working; they are far more susceptible to fade than disc brakes with vented rotors, and if you don't know to ride the brakes a bit after driving through puddles if you have drum brakes (to boil off the nice layer of water that ends up being a great lubricant on the shoes) you can end up with NO braking "power." There is good reason a lot of owners of antique R^HMustangs upgrade to front disc brakes even for non-performance builds.
Re:MS was concerned about how this was exposed? (Score:4, Interesting)
Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug.
IN A TIMELY MANNER.
You forgot the bit that's at the core of the disclosure debate. Virtually everybody in the security industry agrees on the principles of disclosure. All the flames are over the timing.
In one corner, we have Microsoft. They appear to believe in full disclosure, once the disclosure will have no adverse effects on stock price or profitability.
In another corner, we have a tiny handful of scum sucking, mercenary security researchers who believe that disclosure will happen just as soon as they get paid. And the terms of that disclosure will be whatever the purchaser wants.
In the other corners, and carpeting the entire floor, are all the rest of the security community. They believe that full disclosure must happen in a time-frame that minimizes damage to the user community. They just can't agree on when that might be.
This lack of a consensus has made it easy for Microsoft to define the current terms of disclosure. The result has been suppression of disclosure for longer and longer periods. The inevitable consequence is more and more '0' day exploits.
In September 2009, SANS released an excellent State-of-the-Internet on the top cyber security threats: http://www.sans.org/top-cyber-security-risks/ One of their points was:
"World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years."
To demonstrate this issue they enumerated the history of MS08-031:
For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches of auditing and finding the same vulnerability.
What goes unstated is while 3 'responsible' researchers disclosed to Microsoft and waited and waited, unknown numbers of hackers also discovered the vulnerabilities and exploited them.
Just this week, a dozen well managed, fully patched, WinXP (with .NET installed) computers at my institution were compromised by clicking on a major news site (http://www.ksl.com/index.php?nid=148&sid=9814436).
Microsoft would have us believe that this is acceptable. But really, would immediate, full disclosure be any worse?
Miles
Re:Well, at least the important keys still work. (Score:1, Interesting)
Umm, this patch would have you assume that the program HELPCTR.EXE is the culprit. It's not, it's the way that HELPCTR.EXE is called that is the security problem. So, even before dummy.exe gets called, you're already vulnerable. bummer -Killmofasta
This is simply horrifying (Score:2, Interesting)
Whenever I had to admin a windows network, this is the one goddamn key I wish my users would have hit before picking up the phone.
And now they won't because they don't want to get a virus?
I mean, I don't really care any more since I support Linux, but, shit man, I feel bad. That's just not right.
Better to just not press any keys in Windows XP (Score:4, Interesting)
If you are still using XP at this point, who cares? Go for it. Press F1 while running FlashPlayer and Acrobat and IE6 simultaneously. If you gave a shit or had any data worth protecting you'd already be using a Mac or other Unix.
Re:Yet another reason (Score:1, Interesting)
Interesting theory. Entirely wrong, of course, since IE actually started out as Spyglass Mosaic, which MS licensed, renamed, and started selling. (The agreement stated that Spyglass received royalties for every copy of IE that Microsoft sold, prompting MS to start giving it away free. Worked out for us, not so much for Spyglass.)